A new ATM fraud scheme has surfaced, and it’s more sophisticated than any other ATM attack we’ve seen.

First reported by Krebs on Security, the fraud scheme, known as an “ATM cash-out,” goes well beyond the typical threat of attackers planting physical skimmers on ATM machines. The criminals have upped their game, compromising ATMs and their surrounding infrastructure virtually — and they are reaping an exponential increase in revenue.

Why This Is Not Your Typical ATM Attack

Until now, criminals have mainly compromised ATMs using physical methods. They might plant skimmers on the front of machines to capture payment card data as customers insert their cards, for example, or install a piece of hardware that manipulates the ATM to spit out money (aka jackpotting). This newly discovered attack is mainly virtual. It is also twofold: Criminals compromise both the front and back ends of the ATM infrastructure.

On the front end, criminals are compromising financial organizations’ people, processes and technologies to collect customer payment card data in bulk and create fraudulent cards. They use various methods, such as socially engineering an employee who manages the ATM network or exploiting an infrastructure vulnerability to plant malware. However they get in, they are using high-efficiency card collection techniques and gathering thousands of customers’ payment card information in one swoop.

On the back end, they’re manipulating components of the ATM network to change the maximum amount of money a customer can withdraw. With an endless amount of cash at their disposal, they could potentially drain a customer’s entire bank account.

The pairing of these attacks — coupled with the fact that they are virtual and much more efficient than previous ones — makes this scheme more dangerous than the typical ATM compromise.

How Can Organizations Protect Themselves Against ATM Fraud?

To protect themselves from this attack, organizations should monitor customer withdrawal limits. It’s not unusual for customers to change their withdrawal limits. However, if they see a few customers a day skyrocket to 500 customers a day changing their limits, that should raise a red flag.

Companies should also test their infrastructure vigorously and frequently. Security teams can stay one step ahead of fraudsters by conducting penetration tests against employees, searching for holes in organizational practices and implementing technology to uncover security vulnerabilities. By finding and fixing vulnerabilities within their ATMs and surrounding infrastructure quickly, organizations can minimize attackers’ opportunity to exploit them.

From 2017 to 2018, X-Force Red, IBM Security’s team of veteran hackers, saw a 300 percent increase in banks requesting ATM testing. The team is hired by financial organizations globally to hack into their applications, hardware, devices, personnel, ATMs and surrounding infrastructure using the same methods and tools criminals use. Once X-Force Red discovers these weaknesses, the team helps the organization to remediate them before criminals have a chance to compromise its systems.

When it comes specifically to ATM cash-out attacks, X-Force Red can test ATMs and their ecosystem, meaning the people, processes and technologies that connect to those ATMs. The team can also identify vulnerabilities that criminals would exploit in order to steal card data and manipulate the ATM’s network so that larger sums of money can be withdrawn. Finally, and most importantly, X-Force Red can help organizations remediate those vulnerabilities before criminals are able to exploit them.